Access control includes both access authorization and access restriction.
It refers to all the steps that are taken to selectively authorize and restrict
entry, contact, or use of assets. Access authorizations and restrictions are
often established in accordance with business and security requirements.
To make an entity accountable means to assign actions and decisions
to that entity and to expect that entity to be answerable for those actions
and decisions. Therefore, accountability is the state of being answerable
for the actions and decisions that have been assigned.
An analytical model is an algorithm or calculation that combines
one or more base or derived measures with a set of decision criteria.
Analytical models are used to facilitate and support decision making.
An asset is any tangible or intangible thing or characteristic that has value
to an organization. There are many types of assets. Some of these include
obvious things like machines, facilities, patents, and software. But the term
can also include less obvious things like services, information, and people,
and characteristics like reputation and image or skill and knowledge.
An attack is any unauthorized attempt to access, use,
alter, expose, steal, disable, or destroy an asset.
An attribute is any distinctive feature, characteristic, or property of an
object that can be identified or isolated quantitatively or qualitatively
by either human or automated means.
An audit is an evidence gathering process. Evidence is used to evaluate
how well audit criteria are being met. Audits must be objective, impartial,
and independent, and the audit process must be both systematic and
documented. Audits can be internal or external. Internal audits are referred
to as first-party audits while external audits can be either second or third
party. They can also be combined audits (when two or more management
systems of different disciplines are audited together at the same time).
The scope of an audit is a statement that specifies the focus, extent,
and boundary of a particular audit. The scope could be specified by
defining the physical location of the audit, the organizational units
that will be examined, the processes and activities that will be
included, and the time period that will be covered.
Authentication is a process that is used to confirm that a claimed
characteristic of an entity is actually correct. To authenticate is to verify
that a characteristic or attribute that appears to be true is in fact true.
Authenticity is a property or characteristic of an entity.
An entity is authentic if it is what it claims to be.
Availability is a property or characteristic. Something is available if it
is accessible and usable when an authorized entity demands access.
A base measure is both an attribute or property
of an entity and the method used to quantify it.
Business continuity is a corporate capability. An organization is capable
of business continuity whenever it is capable of delivering its products and
services at acceptable predefined levels after disruptive incidents occur.
Organizations use business continuity procedures and processes to help
ensure that operations continue after disruptive incidents occur.
Competence means being able to apply knowledge and skill
to achieve intended results. Being competent means having the
knowledge and skill that you need, and knowing how to apply it
to do your job.
Confidentiality is a characteristic that applies to information. To protect
and preserve the confidentiality of information means to ensure that it
is not made available or disclosed to unauthorized entities. In this
context, entities include both individuals and processes.
Conformity is the “fulfillment of a requirement”. To conform means to meet
or comply with requirements. There are many types of requirements. There
are information security requirements, customer requirements, contractual
requirements, regulatory requirements, statutory requirements, and so on.
A consequence is the outcome of an event. A single event can have
a range of certain or uncertain consequences and these consequences
can influence how well an organization achieves its objectives. In addition,
initial consequences can escalate through knock-on effects.
An organization’s context includes all of the internal and external
issues that are relevant to its purpose and the influence these
issues could have on its ability to achieve the objectives and
outcomes that its ISMS intends to achieve.
An organization’s internal context includes its approach to governance,
its contractual relationships, and its capabilities, culture, and standards.
Governance includes the organization’s structure, policies, objectives,
roles, accountabilities, and decision making process; and capabilities
include its knowledge and its human, technological, capital, and systemic
resources. An organization’s external context includes stakeholder values,
perceptions, and relationships, as well as its social, cultural, political, legal,
regulatory, technological, economic, natural, and competitive environment.
In short, context includes all the internal and external factors and forces that
your information security management system must be able to cope with.
ISO IEC 27001 2013 expects you to consider your organization’s internal
and external context when you define the scope of its information security
management system and when you plan its development.
Continual improvement is a set of recurring activities that are carried
out in order to enhance the performance of processes, products,
services, systems, and organizations.
In the context of information security management, a control is any
administrative, managerial, technical, or legal method that is used
to modify or manage information security risk.
Controls can include things like practices, processes, policies,
procedures, programs, tools, techniques, technologies, devices,
and organizational structures. Controls are sometimes also
referred to as safeguards or countermeasures.
ISO IEC 27001 clause 6.1.3 expects you to select the controls that your
organization needs in order to implement its risk treatment options
and carry out its risk treatment plan. Your list of controls will make
up your Statement of Applicability. See ISO IEC 27001 2013 Annex A
and ISO IEC 27002 2013 for a list of security control options.
An information security control objective is a statement that describes
what your information security controls are expected to achieve.
A correction is any action that is taken to eliminate a nonconformity.
Corrections do not address causes (corrective actions address causes).
Corrective actions are steps that are taken to eliminate the causes of
existing nonconformities in order to prevent recurrence. The corrective
action process tries to make sure that existing nonconformities and
potentially undesirable situations don’t happen again.
The term data is defined as a collection or set of values assigned to
measures or indicators. A measure is a variable made up of values
and an indicator is a measure or variable that is used to evaluate
or estimate an attribute or property of an object.
Decision criteria are factors like thresholds, targets, or patterns. Decision
criteria are used to determine whether action should be taken or whether
further investigation is required before decisions can be made. Decision
criteria are also used to evaluate results and to describe confidence levels.
A derived measure is a measure that is defined as a mathematical
function of two or more values of base measures (a base measure
is both an attribute of an entity and the method used to quantify it).
The term documented information refers to information that
must be controlled and maintained and its supporting medium.
Documented information can be in any format and on any medium
and can come from any source.
Documented information includes information about the management
system and related processes. It also includes all the information that
organizations need to operate and all the information that they use
to document the results that they achieve (aka records).
In short, the term documented information is just a new name for
what used to be called documents and records. But this change is
significant. In the past, documents and records were to be managed
differently. Now the same set of requirements are to be applied to
both documents and records.
Effectiveness refers to the degree to which a planned effect is achieved.
Planned activities are effective if these activities are actually carried out
and planned results are effective if these results are actually achieved.
Efficiency is a relationship between results achieved (outputs) and
resources used (inputs). The efficiency of a process or system can be
enhanced by achieving more, or getting better results (outputs), with
the same or fewer resources (inputs).
An event could be one occurrence, several occurrences, or even
a nonoccurrence (when something doesn’t happen that was
supposed to happen). It can also be a change in circumstances.
Events are sometimes referred to as incidents or accidents.
Events always have causes and usually have consequences.
The term executive management (or top management) refers to the
people who are responsible for implementing the strategies and policies
needed to achieve an organization’s purpose. It includes chief executive
officers, chief financial officers, chief information officers, and other similar
roles. Executive managers are given this responsibility by a governing
body (sometimes referred to as a board of directors).
An organization’s external context includes all of the factors and
forces that exist beyond its own boundaries that influence how it tries
to achieve its objectives. It includes its external stakeholders, its local,
national, and international environment, as well as key drivers and trends
that influence its objectives. It includes stakeholder values, perceptions,
and relationships, as well as its social, cultural, political, legal, regulatory,
financial, technological, economic, natural, and competitive environment.
Governance of information security
The governance of information security refers to the system that is used
to direct and control an organization’s information security activities.
The term governing body refers to the people who are responsible
for the overall performance and conformance of an organization.
In the context of this standard, guidelines are the steps that are
taken to achieve objectives and implement policies. Guidelines
clarify what should be done and how.
An indicator is a measure or variable that is used to evaluate or estimate
an attribute or property of an object. Indicators are often derived from
analytical models and are used to address information needs.
An information need is an insight that is necessary or required in order
to solve problems, to manage risks, and to achieve goals and objectives.
Information processing facilities
An information processing facility is any system, service, or infrastructure,
or any physical location that houses these things. A facility can be either
an activity or a place and it can be either tangible or intangible.
The purpose of information security is to protect and preserve the
confidentiality, integrity, and availability of information. It may also
involve protecting and preserving the authenticity and reliability of
information and ensuring that entities can be held accountable.
Information security continuity
Information security continuity refers to an integrated set of policies,
procedures, and processes that are used to ensure that a predefined
level of security continues during a disaster or crisis (when disruptive
incidents occur or adverse situations exist). Continuity is achieved by
identifying potential threats and vulnerabilities, by analyzing possible
impacts, and by taking steps to build organizational resilience.
Information security event
An information security event is a system, service, or network state,
condition, or occurrence that indicates that information security may
have been breached or compromised or that a security policy may
have been violated or a control may have failed.
Information security incident
An information security incident is made up of one or more unwanted or
unexpected information security events that could possibly compromise
the security of information and weaken or impair business operations.
Information security incident management
Information security incident management is a set of processes
that organizations use to deal with information security incidents.
It includes a detection process, a reporting process, an assessment
process, a response process, and a learning process.
Information security management system
An information security management system (ISMS) includes all of the
policies, procedures, documents, records, plans, guidelines, agreements,
contracts, processes, practices, methods, activities, roles, responsibilities,
relationships, tools, techniques, technologies, resources, and structures
that organizations use to protect and preserve information, to manage and
control information security risks, and to achieve business objectives.
An ISMS is part of an organization’s larger management system.
Since the definitions section of ISO IEC 27000 2014 (section 2) does not
formally define the term information security management system (ISMS),
we have used the material found in ISO IEC 27000 2014 section 3.2
(and other sources) to develop our plain English definition.
Information sharing community
An information sharing community is a group of people or
a group of organizations that agree to share information.
An information system is any set of components that is used to handle
information. Information systems include applications, services, or any
other assets that handle information.
Within the narrow context of information security, the term integrity
means to protect the accuracy and completeness of information.
An organization’s internal context includes all of the factors and forces
within its boundaries that influence how it tries to achieve its objectives.
It includes its internal stakeholders, its approach to governance, its
contractual relationships, and its capabilities, culture, and standards.
Governance includes the organization’s structure, policies, objectives,
roles, accountabilities, and decision making process; and capabilities
include its knowledge and its human, technological, capital, and
systemic resources.
ISMS projects include all of the work that organizations do to
implement information security management systems (ISMSs).
Level of risk
The level of risk is its magnitude. It is estimated by considering
and combining consequences and likelihoods. A level of risk can
be assigned to a single risk or to a combination of risks.
Likelihood is the chance that something might happen. Likelihood can
be defined, determined, or measured objectively or subjectively and can
be expressed either qualitatively or quantitatively (using mathematics).
The term management refers to all the activities that are used to coordinate,
direct, and control organizations. In this context, the term management
does not refer to people. It refers to what managers do.
A management system is a set of interrelated or interacting elements
that organizations use to establish policies and objectives and all the
processes they need to ensure that policies are followed and objectives
are achieved. These elements include structures, programs, procedures,
plans, documents, records, methods, tools, techniques, technologies,
roles, responsibilities, relationships, agreements, and resources.
There are many types of management systems. Some of these include
information security management systems, quality management systems,
environmental management systems, business continuity management
systems, food safety management systems, risk management systems,
disaster management systems, emergency management systems, and
occupational health and safety management systems.
The scope or focus of a management system could be restricted to
a specific function or section of an organization or it could include
the entire organization. It could even include a function that cuts
across several organizations.
A measure is a variable made up of values. When measurement
is carried out, a value (quantity) is assigned to a variable.
Measurement is a process that is used to determine a value. In the context
of information security management, measurement is a process that is
used to obtain information about the effectiveness of an information
security management system (ISMS) and the controls that it uses.
Measurement functions, analytical models, and decision criteria are used to
evaluate measurement results and to decide whether action should be taken
or whether further investigation is required before decisions can be made.
A measurement function is an algorithm or a calculation that combines
two or more base measures. (A base measure is both an attribute or
property of an entity and the method used to quantify it.)
A measurement method is a logical sequence of generic operations that
uses measurement scales to quantify attributes. Measurement methods
use either objective or subjective techniques to quantify attributes.
A measurement result addresses an information need and consists
of one or more indicators together with details that explain how these
indicators are to be interpreted.
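The definitions of base measure, derived measure, measurement function, analytical model, decision criteria, indicator and measurement result describe one pipeline, and it is easier to see how they fit together in code. The following is an added illustration, not material from ISO IEC 27000 or ISO IEC 27004: the account records, the "privileged accounts covered by MFA" information need, and the green/amber/red thresholds are all constructed for the example.

```python
"""Worked example of the measurement vocabulary: two base measures are
combined by a measurement function into a derived measure, an analytical
model applies decision criteria to produce an indicator, and the
measurement result pairs that indicator with its interpretation.
All data and thresholds below are constructed for illustration."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Account:
    """The object being measured (constructed sample record)."""
    name: str
    privileged: bool
    mfa_enrolled: bool


# Constructed sample data: four privileged accounts, one without MFA.
SAMPLE_ACCOUNTS = [
    Account("alice", True, True),
    Account("bob", True, True),
    Account("carol", True, False),      # privileged and not enrolled: the gap
    Account("dave", False, False),
    Account("erin", False, True),
    Account("svc-backup", True, True),
]


def base_privileged(accounts: Sequence[Account]) -> int:
    """Base measure: the attribute 'privileged' plus the counting method."""
    return sum(1 for a in accounts if a.privileged)


def base_privileged_with_mfa(accounts: Sequence[Account]) -> int:
    """Base measure: privileged accounts that are enrolled in MFA."""
    return sum(1 for a in accounts if a.privileged and a.mfa_enrolled)


def derived_mfa_coverage(privileged: int, with_mfa: int) -> float:
    """Measurement function producing the derived measure: fraction of
    privileged accounts covered by MFA. Zero privileged accounts is reported
    as full coverage instead of raising ZeroDivisionError."""
    return 1.0 if privileged == 0 else with_mfa / privileged


# Decision criteria (constructed): lower bound of each status, checked in order.
DECISION_CRITERIA = [(0.95, "green"), (0.80, "amber"), (0.00, "red")]


def analytical_model(coverage: float, previous: Sequence[float]) -> dict:
    """Analytical model: compares the derived measure with the decision
    criteria and with earlier periods, yielding an indicator and a trend."""
    status = next(s for lower, s in DECISION_CRITERIA if coverage >= lower)
    if previous and coverage > previous[-1]:
        trend = "improving"
    elif previous and coverage < previous[-1]:
        trend = "declining"
    else:
        trend = "flat"
    return {"indicator": status, "coverage": round(coverage, 3), "trend": trend}


def measurement_result(accounts: Sequence[Account],
                       previous: Sequence[float] = ()) -> dict:
    """Measurement result: the indicator together with how to read it,
    addressing the information need 'are privileged accounts protected by MFA?'."""
    priv = base_privileged(accounts)
    cov = derived_mfa_coverage(priv, base_privileged_with_mfa(accounts))
    model = analytical_model(cov, previous)
    action = ("no action needed." if model["indicator"] == "green"
              else "investigate and remediate the uncovered accounts.")
    model["interpretation"] = (
        f"{model['coverage']:.0%} of {priv} privileged accounts use MFA "
        f"({model['indicator']}, {model['trend']} vs. last period); {action}"
    )
    return model


if __name__ == "__main__":
    print(measurement_result(SAMPLE_ACCOUNTS, previous=[0.5, 0.6]))
```

The point of separating the layers is that each can be audited on its own: the base measures say exactly what was counted and how, the decision criteria are an explicit, reviewable policy rather than a judgement buried in a report, and the trend comparison stops a single period's number being read without context.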
To monitor means to determine the status of an activity, process, or
system. In order to determine status, you may need to supervise and
to continually check and critically observe the activity, process, or
system that is being monitored.
Nonconformity is a nonfulfillment or failure to meet a requirement.
A requirement is a need, expectation, or obligation. It can be stated
or implied by an organization or interested parties.
Nonrepudiation techniques and services are used to provide undeniable
proof that an alleged event actually happened or an alleged action
was actually carried out and that these events and actions were actually
carried out by a particular entity and actually had a particular origin.
Nonrepudiation is a way of guaranteeing that people cannot later deny
that an event happened or an action was carried out by an entity.
In this context, an object is any item that has attributes which can
be characterized through measurement. Measurement is a process or
method that is used to obtain information about the effectiveness of an
information security management system (ISMS) and the controls that it uses.
An objective is a result you wish to achieve. Objectives can be
strategic, tactical, or operational and can apply to an organization
as a whole or to a system, process, project, product, or service. A
variety of words can be used to express objectives. These include
words like target, aim, goal, purpose, or intended outcome.
An organization can be a single person or a group that achieves its
objectives by using its own functions, responsibilities, authorities,
and relationships. It can be a company, corporation, enterprise, firm,
partnership, charity, or institution and can be either incorporated or
unincorporated and can be either privately or publicly owned. It can
also be a single operating unit that is part of a larger entity.
When an organization makes an arrangement with an outside
organization to perform part of a function or process, it is referred to
as outsourcing. To outsource means to ask an external organization
to perform part of a function or process usually done in-house.
Performance is a measurable result that is achieved by an
activity, process, product, service, system, or organization.
This definition allows us to consider performance measurements.
It allows us to think about the measurement of organizational
performance, process performance, product performance, service
performance, systemic performance, and so on. Such measurements
can be either quantitative or qualitative.
A policy statement defines a general commitment, direction, or intention.
An information security policy statement should express management’s
formal commitment to the implementation and improvement of its
information security management system (ISMS) and should include
information security objectives or facilitate their development.
A procedure is a way of carrying out a process or activity.
Procedures may or may not be documented. ISO IEC 27001
and 27002 sometimes ask you to document a procedure
and sometimes leave it up to you to decide.
A process is a set of activities that are interrelated or that interact with
one another. Processes use resources to transform inputs into outputs.
Records provide evidence that activities have been performed or
results have been achieved. Records always document the past.
Reliability is a property of something and means consistency. Something
is reliable if it behaves consistently or produces consistent results.
A requirement is a need, expectation, or obligation. It can be stated or
implied by an organization, its customers, or other interested parties.
A specified requirement is one that has been stated (in a document for
example), whereas an implied requirement is a need, expectation, or
obligation that is common practice or customary.
Residual risk is the risk left over after you’ve implemented a risk
treatment option. It’s the risk remaining after you’ve reduced the risk,
removed the source of the risk, modified the consequences, changed
the probabilities, transferred the risk, or retained the risk.
A review is an activity. Its purpose is to determine how well the
thing being reviewed is capable of achieving established objectives.
Reviews ask the following question: is the subject of the review a
suitable, adequate, effective, and efficient way of achieving objectives?
A review object is the item or thing being reviewed.
A review objective is a statement that describes
what a review is intended or expected to achieve.
According to ISO 31000, risk is the “effect of uncertainty on objectives”
and an effect is a positive or negative deviation from what is expected.
The following paragraph will explain what this means.
ISO 31000 recognizes that all of us operate in an uncertain world.
Whenever we try to achieve an objective, there’s always the chance
that things will not go according to plan. Every step has an element
of risk that needs to be managed and every outcome is uncertain.
Whenever we try to achieve an objective, we don’t always get the
results we expect. Sometimes we get positive results and sometimes
we get negative results and occasionally we get both. Because of
this, ISO 31000 wants us to identify that uncertainty and manage
its effect on our objectives.
Information security risk is often expressed as a combination of two
factors: probability and consequences. It asks two basic questions: what
is the probability that a particular information security event will occur in
the future? And what consequences would this event produce or what
impact would it have if it actually occurred?
Information security risks often emerge because potential security threats
are identified that could exploit vulnerabilities in an information asset or
group of assets and therefore cause harm to an organization.
Risk acceptance means that you’ve deliberately decided that you can
live with or tolerate a particular risk or that you’re prepared to take a
particular risk. Accepted risks should be monitored and periodically
reviewed. While risk acceptance is normally part of the risk treatment
decision making process it can occur outside of this process.
Risk analysis is a process that is used to understand the nature, sources,
and causes of the risks that have been identified and to estimate the level
of risk. Risk analysis results are used to carry out risk evaluations and to
make risk treatment decisions. How detailed your risk analysis ought to
be will depend upon the risk, the purpose of the analysis, the information
you have, and the resources available.
Risk assessment is a process that is, in turn, made up of three
processes: risk identification, risk analysis, and risk evaluation.
Risk identification is a process that is used to find, recognize, and
describe the risks that could affect the achievement of objectives.
Risk analysis is a process that is used to understand the nature,
sources, and causes of the risks that you have identified and to
estimate the level of risk.
Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not
a specified level of risk is acceptable or tolerable.
Risk communication and consultation
Risk communication and consultation is a dialogue between an
organization and its stakeholders. Discussions could be about the
existence of risks, their nature, form, likelihood, and significance,
as well as whether or not risks are acceptable or should be treated,
and what treatment options should be considered.
This dialogue is both continual and iterative. It is a two-way process that
involves both sharing and receiving information about the management
of risk. However, this is not joint decision making. Once communication
and consultation is finished, decisions are made and directions are
established by the organization, not by stakeholders.
Risk criteria are terms of reference and are used to evaluate the
significance or importance of an organization’s risks. They are used to
determine whether a specified level of risk is acceptable or tolerable.
Risk criteria should reflect your organization’s values, policies, and
objectives, should be based on its external and internal context,
should consider the views of stakeholders, and should be derived
from standards, laws, policies, and other requirements.
Risk evaluation is a process that is used to compare risk analysis
results with risk criteria in order to determine whether or not a risk
or a specified level of risk is acceptable or tolerable. Risk evaluation
results are used to help select risk treatment options.
Risk identification is a process that involves finding, recognizing,
and describing the risks that could affect the achievement of an
organization’s objectives. It involves discovering possible sources
of risk in addition to the events and circumstances that could affect
the achievement of objectives; it also includes the identification of
possible causes and potential consequences.
You may use historical data, theoretical analysis, informed opinion,
expert advice, and stakeholder input to identify your risks.
Risk management refers to a coordinated set of activities, methods,
and techniques that organizations use to deal with the risk and
uncertainty that influence how well they achieve their objectives.
Risk management process
A risk management process is one that systematically uses management
policies, procedures, and practices to establish context, to communicate
and consult with stakeholders, and to identify, analyze, evaluate, treat,
monitor, and review risk.
A risk owner is a person or entity that has been given the authority
to manage a particular risk and is accountable for doing so.
Risk treatment is a risk modification process. It involves selecting
and implementing one or more treatment options. Once a risk
treatment option has been implemented, it becomes a control
or it modifies an existing control.
You have many risk treatment options. You can avoid the risk,
you can reduce the risk, you can remove the source of the risk, you
can modify the consequences, you can change the probabilities,
you can share the risk with others, you can simply retain the risk,
or you can even increase the risk in order to pursue an opportunity.
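The risk terms above (level of risk, risk analysis, risk criteria, risk evaluation, risk treatment, residual risk) form one cycle, and a small register makes the sequence concrete. This is an added illustration and not a method prescribed by ISO 31000 or ISO IEC 27001: the five-point likelihood and consequence ratings, the acceptability thresholds, the three sample risks and the treatments applied to them are all constructed for the example.

```python
"""Worked example of a qualitative risk assessment cycle: analyse (estimate
the level of risk from likelihood and consequence), evaluate against risk
criteria, treat, and re-evaluate the residual risk. Scales, criteria and
sample risks are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Ordinal ratings, 1 = lowest, 5 = highest. Multiplying two ordinal values is
# a common matrix convention; the product ranks risks but is not a true
# quantity (it is not a ratio scale), so treat 16 vs 8 as "higher", not "twice".
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (constructed): inclusive upper bounds on the level of risk.
# Up to 4 is acceptable as-is, up to 11 may be retained with an owner and
# monitoring, anything higher must be treated.
RISK_CRITERIA = {"acceptable": 4, "tolerable": 11}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    owner: str          # the risk owner accountable for managing it


def level_of_risk(risk: Risk) -> int:
    """Risk analysis: estimate the magnitude by combining likelihood and consequence."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    level = level_of_risk(risk)
    if level <= RISK_CRITERIA["acceptable"]:
        return "accept"
    if level <= RISK_CRITERIA["tolerable"]:
        return "retain and monitor"
    return "treat"


def treat(risk: Risk, likelihood: Optional[str] = None,
          consequence: Optional[str] = None) -> Risk:
    """Risk treatment: a control changes the likelihood (e.g. MFA, patching)
    and/or the consequence (e.g. backups). The returned risk's level is the
    residual risk, which must be evaluated again against the same criteria."""
    return replace(risk,
                   likelihood=likelihood or risk.likelihood,
                   consequence=consequence or risk.consequence)


# Constructed sample register.
REGISTER = [
    Risk("customer database", "credential stuffing", "no MFA on admin portal",
         "likely", "major", "head of IT"),
    Risk("build server", "ransomware", "unpatched OS",
         "possible", "severe", "platform lead"),
    Risk("office printer", "paper jam", "old hardware",
         "almost certain", "negligible", "facilities"),
]

# Constructed treatment plan, keyed by asset.
TREATMENTS: Dict[str, Dict[str, str]] = {
    "customer database": {"likelihood": "unlikely"},   # enforce MFA on the portal
    "build server": {"consequence": "major"},          # tested offline backups
}


def assess(register: List[Risk], treatments: Dict[str, Dict[str, str]]) -> List[dict]:
    """Full cycle for each risk: inherent level and decision, then the
    residual level and decision after the planned treatment (if any)."""
    rows = []
    for r in register:
        residual = treat(r, **treatments.get(r.asset, {}))
        rows.append({
            "asset": r.asset,
            "owner": r.owner,
            "inherent": level_of_risk(r),
            "decision": evaluate(r),
            "residual": level_of_risk(residual),
            "residual_decision": evaluate(residual),
        })
    return rows


if __name__ == "__main__":
    for row in assess(REGISTER, TREATMENTS):
        print(row)
```

Note what the second row shows: the backup control lowers the build server's consequence, but the residual level still exceeds the criteria, so the register keeps it in the "treat" state rather than silently accepting it. Re-evaluating residual risk with the same criteria is what catches a treatment that is not enough.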
A scale is an ordered set of values. Scales can be distinguished
from one another based on how values on the same scale are
interrelated. There are at least four types of scales: nominal,
ordinal, interval, and ratio.
Nominal scales use categories as values (e.g. female vs. male),
ordinal scales rank values (1st, 2nd, 3rd, 4th, etc.), interval scales
use equal quantities as values (e.g., dates and temperatures),
and ratio scales use values that specify how much or how many
(e.g. duration and length).
Ratio scales are possible because they have a true zero: a value of
zero means none of the quantity is present. A true zero is what makes
ratios meaningful, so on a ratio scale you can say that something is
twice as far as something else or takes three times as long, for
example, which you cannot do on an interval scale such as dates.
Security implementation standard
A security implementation standard is a document that
describes the officially or formally authorized ways in
which security can be achieved or realized.
A stakeholder is a person or an organization that can affect or be
affected by a decision or an activity. Stakeholders also include those
who have the perception that a decision or an activity can affect them.
A third party is any person or body that is recognized as
independent of the people directly involved with an issue.
A threat is a potential event. When a threat turns into an actual
event, it may cause an unwanted incident. It is unwanted because
the incident may harm an organization or system.
The term top management normally refers to the people at
the top of an organization; it refers to the people who provide
resources and delegate authority and who coordinate, direct,
and control organizations. However, if the scope of a management
system covers only part of an organization, then the term top
management refers, instead, to the people who direct and
control that part of the organization.
Trusted information communication entity
A trusted information communication entity is an autonomous
organization that supports the exchange of information between
members of an information sharing community.
Unit of measurement
A unit of measurement is a particular quantity or magnitude that is
used as a standard for comparing measurements of the same kind.
A standard unit of measurement is one that has been defined and
adopted by convention, by agreement, or officially established by law.
Validation is a process. It uses objective evidence to confirm that the
requirements which define an intended use or application have been
met. Whenever all requirements have been met, a validated status is
achieved. The process of validation can be carried out under realistic
use conditions or within a simulated use environment.
Verification is a process that uses objective evidence to confirm
that specified requirements have actually been met. Verification
is sometimes referred to as compliance testing.
A vulnerability is a weakness of an asset or control that
could potentially be exploited by one or more threats.
An asset is any tangible or intangible thing or characteristic
that has value to an organization, a control is any administrative,
managerial, technical, or legal method that can be used to modify
or manage risk, and a threat is any potential event that could
harm an organization or system.